$OpenBSD: patch-db_c,v 1.1.1.1 2009/02/17 00:16:04 sthen Exp $

http://www.cvstrac.org/cvstrac/chngview?cn=994
Avoid using sqlite internal functions.

http://www.cvstrac.org/cvstrac/chngview?cn=932
chng and inspect records are viewable by people with wiki read
permissions, not checkout.

http://www.cvstrac.org/cvstrac/chngview?cn=969
Use sqlite3_free() not free() on functions returning memory strings.

--- db.c.orig	Thu Aug  7 01:15:31 2008
+++ db.c	Thu Aug  7 01:15:21 2008
@@ -31,6 +31,7 @@
 #include <errno.h>
 #include <sqlite3.h>
 #include <string.h>
+#include <strings.h>
 #include <wchar.h>
 #include "config.h"
 #include "db.h"
@@ -125,7 +126,6 @@ static int query_authorizer(
 ** routine NULLs-out fields of the database we do not want arbitrary
 ** users to see, such as the USER.PASSWD field.
 */
-extern int sqlite3StrICmp(const char*, const char*);
 static int access_authorizer(
   void *NotUsed,
   int type,
@@ -141,34 +141,34 @@ static int access_authorizer(
     return SQLITE_OK;
 #endif
   }else if( type==SQLITE_READ ){
-    if( sqlite3StrICmp(zArg1,"user")==0 ){
-      if( sqlite3StrICmp(zArg2,"passwd")==0 || sqlite3StrICmp(zArg2,"email")==0 ){
+    if( strcasecmp(zArg1,"user")==0 ){
+      if( strcasecmp(zArg2,"passwd")==0 || strcasecmp(zArg2,"email")==0 ){
         return SQLITE_IGNORE;
       }
-    }else if( sqlite3StrICmp(zArg1, "cookie")==0 ){
+    }else if( strcasecmp(zArg1, "cookie")==0 ){
       return SQLITE_IGNORE;
-    }else if( sqlite3StrICmp(zArg1, "config")==0 ){
+    }else if( strcasecmp(zArg1, "config")==0 ){
       return SQLITE_IGNORE;
-    }else if( !g.okSetup && sqlite3StrICmp(zArg1, "access_load")==0 ){
+    }else if( !g.okSetup && strcasecmp(zArg1, "access_load")==0 ){
       return SQLITE_IGNORE;
-    }else if( (!g.okWrite || g.isAnon) && sqlite3StrICmp(zArg1,"ticket")==0
-        && sqlite3StrICmp(zArg2,"contact")==0){
+    }else if( (!g.okWrite || g.isAnon) && strcasecmp(zArg1,"ticket")==0
+        && strcasecmp(zArg2,"contact")==0){
       return SQLITE_IGNORE;
-    }else if( !g.okCheckout && sqlite3StrICmp(zArg1,"chng")==0 ){
+    }else if( !g.okRead && strcasecmp(zArg1,"chng")==0 ){
       return SQLITE_IGNORE;
-    }else if( !g.okCheckout && sqlite3StrICmp(zArg1,"filechng")==0 ){
+    }else if( !g.okCheckout && strcasecmp(zArg1,"filechng")==0 ){
       return SQLITE_IGNORE;
-    }else if( !g.okCheckout && sqlite3StrICmp(zArg1,"file")==0 ){
+    }else if( !g.okCheckout && strcasecmp(zArg1,"file")==0 ){
       return SQLITE_IGNORE;
-    }else if( !g.okCheckout && sqlite3StrICmp(zArg1,"inspect")==0 ){
+    }else if( !g.okRead && strcasecmp(zArg1,"inspect")==0 ){
       return SQLITE_IGNORE;
-    }else if( !g.okRead && sqlite3StrICmp(zArg1,"ticket")==0 ){
+    }else if( !g.okRead && strcasecmp(zArg1,"ticket")==0 ){
       return SQLITE_IGNORE;
-    }else if( !g.okRead && sqlite3StrICmp(zArg1,"tktchng")==0 ){
+    }else if( !g.okRead && strcasecmp(zArg1,"tktchng")==0 ){
       return SQLITE_IGNORE;
-    }else if( !g.okRdWiki && sqlite3StrICmp(zArg1,"attachment")==0 ){
+    }else if( !g.okRdWiki && strcasecmp(zArg1,"attachment")==0 ){
       return SQLITE_IGNORE;
-    }else if( !g.okRdWiki && sqlite3StrICmp(zArg1,"wiki")==0 ){
+    }else if( !g.okRdWiki && strcasecmp(zArg1,"wiki")==0 ){
       return SQLITE_IGNORE;
     }
     return SQLITE_OK;
@@ -326,7 +326,7 @@ char **db_query(const char *zFormat, ...){
     db_err( zErrMsg ? zErrMsg : sqlite3_errmsg(pDb), zSql,
             "db_query: Database query failed" );
   }
-  free(zSql);
+  sqlite3_free(zSql);
   if( sResult.azElem==0 ){
     db_query_callback(&sResult, 0, 0, 0);
   }
@@ -385,7 +385,7 @@ char *db_short_query(const char *zFormat, ...){
     db_err( zErrMsg ? zErrMsg : sqlite3_errmsg(pDb), zSql,
             "db_short_query: Database query failed" );
   }
-  free(zSql);
+  sqlite3_free(zSql);
   return zResult;
 }
 
@@ -409,7 +409,7 @@ void db_execute(const char *zFormat, ...){
   if( rc!=SQLITE_OK ){
     db_err(zErrMsg, zSql, "db_execute: Database execute failed");
   }
-  free(zSql);
+  sqlite3_free(zSql);
 }
 
 /*
@@ -448,7 +448,7 @@ int db_exists(const char *zFormat, ...){
   if( rc!=SQLITE_OK ){
     db_err(zErrMsg, zSql, "db_exists: Database exists query failed");
   }
-  free(zSql);
+  sqlite3_free(zSql);
   return iResult;
 }
 
@@ -470,6 +470,7 @@ char *db_query_check(const char *zFormat, ...){
   db_restrict_query(1);
   rc = sqlite3_exec(pDb, zSql, 0, 0, &zErrMsg);
   db_restrict_query(0);
+  sqlite3_free(zSql);
   return (rc!=SQLITE_OK) ? zErrMsg : 0;
 }
 
@@ -538,7 +539,7 @@ void db_callback_query(
     db_err(zErrMsg ? zErrMsg : sqlite3_errmsg(pDb), zSql,
            "db_callback_query: Database query failed");
   }
-  free(zSql);
+  sqlite3_free(zSql);
 }
 
 /*
@@ -565,7 +566,7 @@ void db_callback_execute(
     db_err(zErrMsg ? zErrMsg : sqlite3_errmsg(pDb), zSql,
            "db_callback_execute: Database query failed");
   }
-  free(zSql);
+  sqlite3_free(zSql);
 }
 
 /*
@@ -672,7 +673,6 @@ static void f_cgi(sqlite3_context *context, int argc, 
 ** name as an argument and returns the value that the user enters in the
 ** resulting HTML form. A second optional parameter provides a default value.
 */
-extern int sqlite3StrICmp(const char*, const char*);
 static void f_aux(sqlite3_context *context, int argc, sqlite3_value **argv){
   int i;
   const char *zParm;
@@ -682,7 +682,7 @@ static void f_aux(sqlite3_context *context, int argc, 
   if( zParm==0 ) return;
 
   for(i=0; i<g.nAux && g.azAuxName[i]; i++){
-    if( sqlite3StrICmp(zParm,g.azAuxName[i])==0 ){
+    if( strcasecmp(zParm,g.azAuxName[i])==0 ){
       if( g.azAuxVal[i] ){
         sqlite3_result_text(context, g.azAuxVal[i], -1, SQLITE_STATIC);
       }
@@ -712,7 +712,6 @@ static void f_aux(sqlite3_context *context, int argc, 
 ** currently selected value.  Results may be a single value column or
 ** two value,description columns.  The first result row is the default.
 */
-extern int sqlite3StrICmp(const char*, const char*);
 static void f_option(sqlite3_context *context, int argc, sqlite3_value **argv){
   const char *zParm;
   int i;
@@ -722,7 +721,7 @@ static void f_option(sqlite3_context *context, int arg
   if( zParm==0 ) return;
 
   for(i=0; i<g.nAux && g.azAuxName[i]; i++){
-    if( sqlite3StrICmp(zParm,g.azAuxName[i])==0 ){
+    if( strcasecmp(zParm,g.azAuxName[i])==0 ){
       if( g.azAuxVal[i] ){
         sqlite3_result_text(context, g.azAuxVal[i], -1, SQLITE_STATIC);
       }
